Version 1.0

Privacy Notice

Taal's Friend Loyalty Program

Everybody Taal B.V. KvK nr. 96939060
01

Who is responsible for your data

Everybody Taal B.V., trading as Taal Coffee & More, registered with the Dutch Chamber of Commerce (KvK) under number 96939060, J.J. Cremerplein 34, 1054 TL Amsterdam, the Netherlands ("Taal", "we"), is the controller for the personal data processed in connection with the Taal's Friend loyalty program.

For any questions or requests about your data, contact us at taal.coffee@gmail.com.

We use Tap2 B.V. as our service provider to run the digital loyalty card platform. Tap2's supplementary end-customer privacy notice is available at tap2.ai/end-customer-privacy-notice.

02

What data we collect – and what we deliberately don't

We keep the program data-minimal. We process:

  • Your email address, provided at signup
  • Your marketing preference (whether you ticked the optional consent box)
  • A card identifier and your stamps, rewards, and redemption history
  • Technical information needed by Apple Wallet or Google Wallet to issue and update your card, and basic notification interaction data

We do not collect:

  • Your name
  • Payment card details
  • What you purchased item-by-item
  • Your location

Your bank or payment provider is not connected to the loyalty card in any way.

03

Why we use your data and on what legal basis

Purpose Data used Legal basis (Art. 6 GDPR)
Operating the loyalty program: issuing your card, recording stamps, enabling rewards Email address, card identifier, stamps and rewards balance Performance of a contract (Art. 6(1)(b))
Service communications: stamp/reward updates, changes to the program or these documents Email address, card identifier Performance of a contract; legitimate interest (Art. 6(1)(b), (f))
Marketing: promotional wallet notifications and emails about offers and news Email address, card identifier Your consent (Art. 6(1)(a)) – only if you ticked the box at signup; withdrawable at any time
Fraud prevention and security Card identifier, stamp activity, technical logs Legitimate interest (Art. 6(1)(f))
Aggregated analytics to understand program use (e.g., how many rewards are redeemed) Aggregated or pseudonymized usage data Legitimate interest (Art. 6(1)(f))
Compliance with legal obligations (e.g., handling rights requests) Relevant records Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interest, you have the right to object (see section 8). We never use your data for automated decision-making with legal or similarly significant effects.

04

Location and notifications – how this actually works

Your digital card can appear on your lock screen when you are near a Taal location. This works through a built-in feature of Apple Wallet and Google Wallet: the locations of our cafés are stored on the card, and your own device compares them with its position. This happens entirely on your device.

You are always in control of notifications:

  1. Apple Wallet: open the card, tap the "…" button, switch off "Allow Notifications"
  2. Google Wallet: open the card, tap the menu, and disable notifications for this pass
  3. Promotional emails: use the unsubscribe link in any email, or contact us
  4. Everything at once: remove the card from your wallet – this ends participation and all notifications
05

Who receives your data

  • Tap2 B.V. — operates the loyalty platform on our behalf under a data processing agreement, and with Tap2's vetted subprocessors (such as cloud hosting and notification delivery providers; the current list is published at tap2.ai/subprocessors)
  • Apple and Google — process technical data needed to host the card in your wallet under their own terms and privacy policies, as independent providers of the wallet service

Where data is transferred outside the European Economic Area, this takes place on the basis of the European Commission's Standard Contractual Clauses, supplemented by additional safeguards where required. We do not sell your data and do not share it with third parties for their own marketing.

06

How long we keep your data

Loyalty data (email, card, stamps)

For as long as you participate. If your card is unused for 24 consecutive months, it is deactivated and your data is deleted or anonymized.

Marketing consent records

Until you withdraw consent, plus a limited record of the withdrawal itself to prove compliance.

Card removal or deletion request

Deletion within 30 days, unless a legal obligation requires limited retention.

Security and diagnostic logs

Only as long as necessary for security and troubleshooting.

07

Your rights

Under the GDPR (AVG) you have the right to:

Access your data
Have it corrected or deleted
Restrict or object to processing
Receive a copy in a portable format
Withdraw consent at any time
Object to direct marketing — we will stop immediately

To exercise any right, email us at taal.coffee@gmail.com or ask in-store; we respond within one month.

You also have the right to lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), although we would appreciate the chance to resolve your concern first.

08

Changes to this notice

We may update this notice from time to time, for example when the program or the law changes. The current version is always available at taal.coffee/privacy and via your digital card. We will inform you of material changes through the card or by email.